
npm-scan
An Extensible, Heuristic-Based Vulnerability Scanning Tool for npm Packages
This is an extensible, heuristic-based vulnerability scanning tool designed to scan the npm packages installed in a project. **WARNING:** npm-scan is currently in early development and should not be used in production environments. We are working on developing more accurate heuristics.
We are actively looking for new contributors who have ideas for additional heuristics, so please feel free to reach out to us! :)
Another significant project you can contribute to is npm-zoo, where packages previously found to be malicious are uploaded for research purposes. We need more examples to help us develop better heuristics.
**Quickstart:**
To get started, run the following commands:
```
npm install https://github.com/spaceraccoon/npm-scan.git
npx npm-scan
```
**Usage:**
To use the tool, you can execute:
```
npx npm-scan [options]
```
**Options:**
- `-V`, `--version` output the version number
- `-p`, `--packages-dir` set the directory path for packages (takes a path argument); defaults to `node_modules`
- `-e`, `--exclude-heuristics` exclude a comma-separated list of heuristics (takes a list argument)
- `-o`, `--output` set the file path for JSON output (takes a path argument)
- `-v`, `--verbose` print more details for each package scan
- `-s`, `--strict` include low-risk heuristics
- `-h`, `--help` output usage information
**Developing:**
To contribute to the development, follow these steps:
```
git clone https://github.com/spaceraccoon/npm-scan.git
npm link
npm run scan
npm run test
npm run lint
```
Make sure to push your changes on a separate branch. To add a new feature or improvement, please ensure you follow the contribution guidelines.